ING Introduces Tool for Safe E-Banking on Infected PCs

ING Direct, the nation's largest online-only bank, said this week that it was giving away a software tool that would allow customers to bank online safely at ING, even if the user's PC was already infected with data-stealing malicious software.

ING made the somewhat bold claim in partnering with an Israeli company named Trusteer, which offers an installable program called Rapport. Trusteer's main investor is a man named Shlomo Kramer, co-founder of Check Point Software, the company that makes and markets the ZoneAlarm firewall products. Kramer is now CEO of Imperva, an application data protection company, which he co-founded with Mickey Boodaei, who is CEO of Trusteer.

Boodaei said Rapport creates a "secure pipe" within the user's computer that encapsulates data as it flows to the ING Direct Web site. Boodaei said the software works by assuming control over the application programming interfaces, or APIs, in Windows, the set of functions that allow software developers to write programs that interact with key Windows functionality.

Some of today's nastiest data-stealing malware works by hijacking these Windows APIs. For example, keyloggers simply hijack, or "hook," the Windows APIs that handle input from the keyboard and mouse. A more advanced type of malware, known as a "form grabber," hooks the "WinInet" API, which sets up the SSL (think https://) connection between the user's browser and the encrypted Web site. By hooking this API, a form grabber can rip out usernames and passwords even when the user submits them to a site that encrypts the data in transit, because it intercepts the form data at the point where the browser hands it to WinInet, before it is encrypted.

Trusteer's software examines these and other vital Windows APIs to see if any other process is trying to intercept sensitive data, and blocks those that are.
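The hooks described in the two paragraphs above usually take the form of a detour written over the first bytes of an exported API function. The following is an added example, not Trusteer's code and not a description of how Rapport actually works: a small scanner that looks at the prologue bytes of 32-bit Windows API exports and reports whether they begin with a known-good prologue, a recognised jump out of the function, or something else. The module addresses, export names and byte sequences are constructed for the demo; real use would read them from the live process.

```python
import struct

# Constructed sample: the hot-patchable prologue (mov edi,edi; push ebp; mov ebp,esp)
# that many 32-bit Windows API exports begin with. A detour that overwrites these
# five bytes is the classic user-mode "inline hook" the article describes.
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")


def decode_detour(code: bytes, base: int):
    """Decode a control-flow transfer at the start of `code`, if any.

    `base` is the virtual address the bytes were read from; a rel32 JMP is
    relative to the end of its own 5-byte encoding, so it cannot be resolved
    without it. Returns (kind, address) or None.
    """
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp-rel32", (base + 5 + rel) & 0xFFFFFFFF)
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:  # jmp dword ptr [abs32]
        # The target lives in a pointer slot; we report the slot address.
        return ("jmp-indirect", struct.unpack_from("<I", code, 2)[0])
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return ("push-ret", struct.unpack_from("<I", code, 1)[0])
    return None


def classify_prologue(code: bytes, base: int, module_range: tuple,
                      expected: bytes = CLEAN_PROLOGUE) -> str:
    """Classify the first bytes of an exported function.

    module_range is (start, end) of the image the export belongs to. A detour
    landing outside it (typically into an injected DLL) is the strong signal;
    one landing inside may be a legitimate forwarder and is reported separately.
    """
    detour = decode_detour(code, base)
    if detour is not None:
        kind, target = detour
        lo, hi = module_range
        where = "inside-module" if lo <= target < hi else "outside-module"
        return f"hooked:{kind}:{where}"
    if code[:len(expected)] != expected:
        return "modified"        # prologue altered, but not a recognised detour
    return "clean"


def scan_exports(exports: dict, module_range: tuple) -> dict:
    """Return {name: verdict} for every export whose verdict is not 'clean'."""
    return {name: v for name, (base, code) in exports.items()
            if (v := classify_prologue(code, base, module_range)) != "clean"}


# --- constructed sample data (addresses invented for the demo) -----------------
WININET_RANGE = (0x771B0000, 0x77256000)
HTTP_SEND = 0x771C3A40                    # pretend address of HttpSendRequestA
HOOKED_SEND = b"\xE9" + struct.pack("<i", 0x10001000 - (HTTP_SEND + 5))  # -> 0x10001000
SAMPLE_EXPORTS = {
    "InternetConnectA": (0x771C1230, CLEAN_PROLOGUE + b"\x83\xec\x10"),
    "HttpSendRequestA": (HTTP_SEND, HOOKED_SEND + b"\x90\x90"),
    "HttpOpenRequestA": (0x771C5000, b"\x68" + struct.pack("<I", 0x10002000) + b"\xC3"),
    "InternetReadFile": (0x771C8000, b"\x90\x90\x90\x90\x90\x8b\xec"),
}

if __name__ == "__main__":
    for name, verdict in scan_exports(SAMPLE_EXPORTS, WININET_RANGE).items():
        print(f"{name}: {verdict}")
```

Two caveats a practitioner would add: a detour that lands inside the module's own image can be a legitimate forwarder rather than malware, so it is reported at lower confidence; and this check only covers inline hooks on the function body, not import-table (IAT) hooks, which redirect the caller's pointer and leave the export's bytes untouched.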

"We analyzed all of the different channels and methods in which attackers can grab credentials from the computer or tamper with communications, and we built a technology that addresses all these threats the same way using the same techniques," Boodaei said.

To log into their accounts, ING customers must enter a customer ID and then use their mouse to click their password on a PIN pad displayed on the screen. Boodaei said Rapport uses the combination of customer ID and PIN to compute a "hash" value, or unique fingerprint, tied to those credentials. The software then looks to see whether any data matching that hash value is entered at any site other than ING's. If so, it warns the user that they may be entering their ING credentials at a phishing site and blocks the transmission of that data.
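The credential-fingerprint check described above can be sketched in a few dozen lines. This is an added example, not Trusteer's implementation: it stores only a keyed hash of the (customer ID, PIN) pair, re-derives that hash from the values in any form about to be submitted, and blocks the submission when the host is not on an allowlist. The allowlist, the per-install key, the sample credentials and the field names are assumptions for the demo. It also shows the host-matching mistake a practitioner would want to avoid: a substring test that lets "ingdirect.com.evil.example" pass.

```python
import hashlib
import hmac
import os

# Constructed allowlist for the demo; the hosts at which the fingerprinted
# credentials may legitimately be submitted.
ALLOWED_HOSTS = ("ingdirect.com",)


def host_is_allowed(host: str, allowed=ALLOWED_HOSTS) -> bool:
    """Exact or proper-subdomain match only.

    A plain substring test would let 'ingdirect.com.evil.example' or
    'evilingdirect.com' pass; suffix matching on a dot boundary does not.
    """
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


class CredentialGuard:
    """Keeps a keyed hash of (customer ID, PIN) instead of the plaintext pair."""

    def __init__(self, customer_id: str, pin: str, key=None):
        # Per-install secret so the stored fingerprint is not a bare SHA-256 that
        # someone who steals the file could brute-force offline (PINs are short).
        self.key = key if key is not None else os.urandom(32)
        self.fingerprint = self._fingerprint(customer_id, pin)

    def _fingerprint(self, customer_id: str, pin: str) -> bytes:
        # NUL separator so ("12","345") and ("123","45") cannot collide.
        msg = customer_id.encode() + b"\x00" + pin.encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def check_submission(self, host: str, fields: dict) -> str:
        """Return 'allow' or 'block' for a form about to be sent to `host`.

        The guard never holds the credentials in clear; it re-derives the
        fingerprint from every ordered pair of submitted field values and
        compares in constant time. A lone PIN or lone ID does not match.
        """
        if host_is_allowed(host):
            return "allow"
        values = [v for v in fields.values() if isinstance(v, str)]
        for cid in values:
            for pin in values:
                if hmac.compare_digest(self._fingerprint(cid, pin), self.fingerprint):
                    return "block"
        return "allow"


# Constructed sample with a fixed key so the demo is reproducible (never do this
# in a real deployment; use os.urandom as the constructor does by default).
DEMO_GUARD = CredentialGuard("12345678", "2468", key=b"\x11" * 32)

if __name__ == "__main__":
    for host, fields in [
        ("www.ingdirect.com",          {"customerId": "12345678", "pin": "2468"}),
        ("ingdirect.com.evil.example", {"customerId": "12345678", "pin": "2468"}),
        ("mail.example",               {"user": "alice", "pass": "hunter2"}),
        ("forum.example",              {"user": "bob", "pass": "2468"}),  # PIN alone
    ]:
        print(f"{host:28} -> {DEMO_GUARD.check_submission(host, fields)}")
```

Note what this design does and does not buy: the guard cannot leak the plaintext credentials if its own state is read, and it catches the pair even when the phishing form swaps the field order, but it only fires when both values appear together, so a site that harvests the customer ID on one page and the PIN on the next would not trip it.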

What struck me most about this offering was that it's the first time in a long while that a U.S. bank has publicly raised the idea of installing software on customer systems as a means of combating fraud. ING says it will cover losses from unauthorized activity -- whether or not customers use Rapport -- provided that the customer notifies ING of the compromise within 60 days of receiving a statement listing the activity.

Online trading firm Ameritrade tried something similar a few years back with a product from WholeSecurity (since purchased by Symantec), but the offering was never publicized very well, and the program seemed to fade away after a while.

ING keeps its costs low mainly by not having any physical branch locations. Avivah Litan, a fraud analyst with Gartner Inc., said ING's partnership with Trusteer will suffer the same fate as the Ameritrade-WholeSecurity program if one or more of the following things happen:

1- Customers who install the tool flood ING with support calls and questions
2- Nobody adopts it
3- Malware writers figure out a way around it to steal lots of money from customers

Litan said if the offering fails, most banks believe it will be as a result of reason #1.

"The banks are really afraid of getting involved in consumer desktops," Litan said. "Every bank I've talked to about this just doesn't want to go there because they think it means a lot of customer service calls and troubleshooting."

Update, May 27, 5:00 p.m. ET: I installed Trusteer's tool and then set it and ING's site against a keylogger testing suite that tries seven different methods of stealing data. In Windows XP, Trusteer's software failed two of those seven tests, and in Windows Vista it failed one of the tests.

When I confronted Trusteer about the findings, the company said the software required a reboot to fully protect ING's site. When I retested the product after rebooting following the install, the company's claim checked out. However, Trusteer makes no mention of the need to reboot, and the product tells users they are fully protected after install.

Trusteer also said the product may not work as described if users are not running as administrator, or if they have configured their browser to run in a limited user mode -- two options that I constantly encourage users to consider to protect themselves online.